Messages

1

16.1 Legacy Series / Intrusion detection with PPPoE over VLAN

« on: July 22, 2016, 01:36:04 pm »

My ISP uses PPPoE over a VLAN. AFAIK, IDS only works on the physical interface when using PPP. Indeed, when I set the IDS to monitor the WAN interface, no rules ever fire. So I tried, in the IDS setup, to remove the WAN interface and choose the physical interface (igb1) to be monitored. However, I can choose both other NIC's, but not the WAN NIC.

Could it be that because I have PPPoE on this NIC, it doesn't even show up?

I've tried enabling promiscuous mode, but that doesn't seem to change the behavior either.

What could I do to monitor the physical WAN NIC?

2

16.1 Legacy Series / Re: Could someone on xs4all with working ipv6 post their /var/etc/dhcp6c_wan.conf

« on: July 21, 2016, 04:56:52 pm »

Yes, it was resolved. So, I won't need a copy of a working setup anymore. 

3

16.1 Legacy Series / Re: dhcp-pd: default ipv6 route setup fails

« on: July 17, 2016, 12:28:58 pm »

Ah, that did it... would never have looked for dhcp6c logging under dhcp  Turned out I had, after all the tests I did, some errors in my dhcp6c_wan.conf. Fixing those and running dhcp6c manually started the PD and ipv6 routing is working now.

I'll have to resort to manually starting PD for now and I'll wait for the new version to solve it permanently.

Thanks

4

16.1 Legacy Series / Re: dhcp-pd: default ipv6 route setup fails

« on: July 16, 2016, 01:22:52 pm »

I tried starting the dhcp6c client on the WAN manually:

Code: [Select]

/usr/local/sbin/dhcp6c -d  -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
It just fails silently; nothing on the cli, nothing in the system.log, just exit == 1

It's normally called from /var/etc/rtsold_pppoe0_script.sh. That script logs a message. That message doesn't appear in system.log So, I think I can conclude that the rstold script isn't even started.

What could cause trsold not to be started? What part of the system calls this rtsold_xxx script normally?

5

16.1 Legacy Series / Re: dhcp-pd: default ipv6 route setup fails

« on: July 12, 2016, 11:44:52 pm »

Are you allowing inbound IPv6 ICMP?

Certainly, on the WAN ipv4/ipv6 ICMP any to any... can't be more open than that :-/

6

16.1 Legacy Series / [SOLVED] working /var/etc/dhcp6c_wan.conf for xs4all ipv6 setup?

« on: July 12, 2016, 09:29:12 pm »

The topic says it all. I'd like to check the contents of my dhcpv6 WAN interface setup with a working one... so if you're using the provider XS4all and you've got ipv6 working, please post the output of

Code: [Select]

cat /var/etc/dhcp6c_wan.conf

7

16.1 Legacy Series / Re: dhcp-pd: default ipv6 route setup fails

« on: July 12, 2016, 08:01:05 pm »

I'm not on XS4ALL, but I had similar issues.

Instead of tracking the WAN, I've picked a /64 subnet from my /48 for the internal LAN and assigned a static IPv6 from that to the LAN interface.

I configured OPNsense to send router advertisements on Services, DHCPv6, Advertisements as Unmanaged with high priority. This lets all internal hosts pick up a working IPv6 stack through SLAAC.

Bart...

Thanks for the reply 

I already did the same as you and on the LAN / DMZ side all is fine.

My problem however is on the WAN side. I do get the gateway for ipv6, but no routing takes place. There's a default route, but no route table entry linking this default gateway to an interface, so the ipv6 default route doesn't function.

I've since done a tcpdump on the WAN and I see unsolicited Router Advertisements from the gateway, so far so good. But a continuous stream of Neighbor Solicitations send to the gateway remain unanswered. I'd expect Solicited Router Advertisements in reply. That's strange.

More interesting is that there's no DHCPv6 deamon running and that I don't see any dhcpv6 activity on the WAN. I'd expect dhcpv6 to be running when I set the WAN ipv6 address to dhcpv6. Since that doesn't happen, it obviously doesn't do a Prefix Delegation request and thus there's no configured routing probably.

What I currently can't understand is why the dhcpv6 deamon doesn't run, even when the WAN interface is setup to get it's PD through dhcpv6?

8

16.1 Legacy Series / Re: dhcp-pd: default ipv6 route setup fails

« on: July 11, 2016, 09:25:31 pm »

I've made a tcpdump on the igb1_vlan6 interface where the WAN pppoe tunnel is started. I can see the ppp setup both for ipv4 and ipv6 (PPP IPCP & PPP IPV6CP). Maybe that's where the ipv6 gateway originates.

Anyhow, there's no DHCPv6 traffic after pppoe setup is done. So, it seems no PD request is performed at all. In both configs that I tried, a prefex request was explicitly configured. What could cause the dhcpv6-pd to not run?

9

16.1 Legacy Series / Re: dhcp-pd: default ipv6 route setup fails

« on: July 10, 2016, 07:01:41 pm »

Since my last post I've changed the setup by moving the PD setup to the advanced section of the WAN setup. Now everythng is almost fine: ipv4 still works, on the ipv6 side I get an WAN ipv6, and a gateway. The gateway is added as default route to the WAN without any issues, as I can tell from the route.log. However, routing to the outside still doesn't work.

In the GUI I don't see the added default gateway for ipv6, only the ipv4 one. Netstat -r -n however does show an entry for the correct ipv6 default gateway, only the entry linking the default ipv6 route to the WAN pppoe is missing! The route.log doesn't show anything that might shed some light on this issue.

What could cause this gateway ipv6 -> WAN pppoe routing table entry to be missing?

10

16.1 Legacy Series / [SOLVED] dhcp-pd: default ipv6 route setup fails

« on: July 05, 2016, 11:15:26 pm »

I've got a problem getting DHCP-PD to work for my ISP xs4all. There's a nice tutorial for xs4all & ipv6 (in Dutch, http://blog.firewallonline.nl/how-to-en-tutorials/xs4all-pfsense-opnsense-ipv6/) that I followed. Others report succes, I can't get it to work.

I run the latest OPNsense 16.1.18-amd64.

The setup boils down to this:

- setup WAN with PPPoE for ipv4 and DHCPv6 voor ipv6
- setup DHCPv6 to use the ipv4 connectivity and request only a /48 prefix delegation
- setup the LAN to ipv4 static and ipv6 to track the WAN interface with prefix id 0.

This results in a working ipv4 connection but a semi working ipv6 setup:

- I do get a ipv6 ip and gateway
- I can ping6 the ipv6 gateway, but nothing beyond that
- I don't get a ipv6 on the LAN nic

When I look in the log I noticed there seems to be a issue setting up the default route to the gateway:

opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: on (IP address: fe80::20d:b9ff:fe41:e490) (interface: wan) (real interface: pppoe1).
opnsense: /usr/local/etc/rc.newwanipv6: ROUTING: setting IPv4 default route to 194.109.5.175
kernel: IPv6 address: "fe80:b::2a0:a50f:fc78:5530" is not on the network
opnsense: /usr/local/etc/rc.newwanipv6: The command '/sbin/route delete -inet6 'default' 'fe80::2a0:a50f:fc78:5530%pppoe1'' returned exit code '1', the output was 'route: writing to routing socket: No such process delete net default: gateway fe80::2a0:a50f:fc78:5530%pppoe1 fib 0: not in table'

When I look in the route table I notice:

    - an entry for my ipv4 gateway, but not for ipv6
    - an default route for my ipv4 gateway, but not for ipv6

I tried many things, but this is the best result I could get. What could be causing the default ipv6 route setup to fail? What can I try to remedy this?